# Authority Binding Matrix (DPoP / mTLS) — AU2/AU3

All values are deterministic and sorted by flow, tenant, environment.

## Enforcement Matrix

| Flow | Tenant scope required | Binding | Nonce policy | Audience rules | Notes |
| --- | --- | --- | --- | --- | --- |
| device_code | tenant required; env optional | DPoP (ECDSA P-256) | nonce TTL 120s; single-use; clock skew ±30s | `aud` must match service; reject wildcard | Offline: tokens minted against cached JWKS; nonce list capped at 1024 entries |
| auth_code | tenant required; env required | mTLS (SPIFFE) | n/a (channel bound) | `aud` == service; `azp` == client; enforce PKCE | Supports delegated authz; cert SAN must match `client_id` |
| client_credentials | tenant required; env optional | DPoP (Ed25519) or mTLS | nonce TTL 300s; rotate per token | `aud` == service; forbid multi-audience | Use mTLS when a hardware root is available; otherwise fall back to DPoP |

## DPoP Requirements

- Proof `htu`/`htm` must match the request; reject if clock skew > 30s.
- JTI single-use; store for the nonce TTL window; evict oldest on cap.
- Accept curves: P-256, Ed25519; forbid P-384/P-521 until the crypto profile registry marks them active.

## mTLS Requirements

- Client cert must chain to the approved trust roots for the tenant.
- SAN must include `urn:stellaops:client:{client_id}`.
- Require OCSP/CRL freshness ≤ 10m (offline mode: last known-good CRL/OCSP response is cached and timestamped).

## Negative-path examples

- Reject DPoP without nonce; reject nonce reuse within TTL.
- Reject auth_code where `aud` contains a wildcard or a mismatched service.
- Reject client_credentials with a missing tenant claim or a multi-audience list.
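The DPoP requirements and the DPoP rows of the matrix (htm/htu matching, ±30s skew, server nonce with TTL and single use, single-use jti stored for the TTL window with a capped store, and the P-256/Ed25519 allowlist), as an added Python example; this is not StellaOps code. It assumes the JWS signature of the proof has already been verified against the embedded `jwk` by a JOSE library, maps the table's "ECDSA P-256" and "Ed25519" to the JOSE `alg` names `ES256` and `EdDSA`, uses the claim names from RFC 9449 (`htm`, `htu`, `iat`, `jti`, `nonce`), and the service URL, key descriptors and timestamps in `run_negative_paths` are constructed to match the device_code row (120s nonce TTL, cap 1024):

```python
"""DPoP proof policy checks from the matrix above (constructed example, not project code)."""
import base64
import json
import secrets
from collections import OrderedDict
from urllib.parse import urlsplit, urlunsplit

CLOCK_SKEW_S = 30                                   # ±30s per the matrix
# (kty, crv, alg) combinations the crypto profile marks active; P-384/P-521 are absent
ALLOWED_KEYS = {("EC", "P-256", "ES256"), ("OKP", "Ed25519", "EdDSA")}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def normalize_htu(url):
    """Request URL as compared against htu: lowercase scheme/host, no query or fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))

class DpopPolicy:
    def __init__(self, nonce_ttl_s, cap=1024):
        self.nonce_ttl_s, self.cap = nonce_ttl_s, cap
        self._nonces = OrderedDict()   # issued nonce -> issue time, insertion ordered
        self._jtis = OrderedDict()     # seen jti -> first-seen time

    def _trim(self, store, now):       # evict expired entries, then the oldest beyond the cap
        while store and (now - next(iter(store.values())) > self.nonce_ttl_s or len(store) > self.cap):
            store.popitem(last=False)

    def issue_nonce(self, now):
        nonce = secrets.token_urlsafe(16)
        self._nonces[nonce] = now
        self._trim(self._nonces, now)
        return nonce

    def check(self, proof, method, url, now):
        """Policy layer only: the JWS signature against the embedded jwk is assumed verified."""
        try:
            h64, p64, _sig = proof.split(".")
            header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed proof"
        jwk = header.get("jwk") or {}
        if (jwk.get("kty"), jwk.get("crv"), header.get("alg")) not in ALLOWED_KEYS:
            return False, "key type/curve not in active crypto profile"
        if payload.get("htm") != method.upper():
            return False, "htm mismatch"
        if payload.get("htu") != normalize_htu(url):
            return False, "htu mismatch"
        iat = payload.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > CLOCK_SKEW_S:
            return False, "iat outside clock skew"
        nonce = payload.get("nonce")
        if not isinstance(nonce, str):
            return False, "nonce missing"
        issued = self._nonces.pop(nonce, None)       # pop: a nonce is single-use
        if issued is None or now - issued > self.nonce_ttl_s:
            return False, "nonce unknown, reused or expired"
        jti = payload.get("jti")
        if not isinstance(jti, str) or jti in self._jtis:
            return False, "jti missing or replayed within TTL window"
        self._jtis[jti] = now
        self._trim(self._jtis, now)                  # store for the TTL window, evict oldest on cap
        return True, "ok"

def build_proof(payload, jwk, alg):
    """Constructed proof; the third segment is a placeholder, not a real signature."""
    header = {"typ": "dpop+jwt", "alg": alg, "jwk": jwk}
    segs = [b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    return ".".join(segs + [b64url_encode(b"sig")])

def run_negative_paths(now=1_700_000_000.0):
    """Drive the checker through the page's negative paths and two accept cases; returns {name: (ok, reason)}."""
    policy = DpopPolicy(nonce_ttl_s=120)            # device_code row: 120s nonce TTL
    url = "https://authority.example/token"         # constructed service URL
    p256 = {"kty": "EC", "crv": "P-256"}            # public coordinates omitted (constructed)

    def proof(jwk=p256, alg="ES256", **claims):     # a fresh server nonce unless overridden
        c = {"jti": "j1", "htm": "POST", "htu": url, "iat": now, "nonce": policy.issue_nonce(now)}
        return build_proof({**c, **claims}, jwk, alg)

    return {
        "valid": policy.check(proof(), "POST", url, now),
        "jti_replay": policy.check(proof(), "POST", url, now + 1),   # fresh nonce, same jti "j1"
        "no_nonce": policy.check(proof(jti="j2", nonce=None), "POST", url, now),
        "htm": policy.check(proof(jti="j3"), "GET", url, now),
        "htu_normalized": policy.check(proof(jti="j4"), "POST", "https://AUTHORITY.example/token?x=1", now),
        "htu_mismatch": policy.check(proof(jti="j5", htu=url.replace("token", "introspect")), "POST", url, now),
        "skew": policy.check(proof(jti="j6", iat=now - 31), "POST", url, now),
        "curve": policy.check(proof({"kty": "EC", "crv": "P-384"}, "ES384", jti="j7"), "POST", url, now),
        "nonce_expired": policy.check(proof(jti="j8", iat=now + 121), "POST", url, now + 121),
    }
```

The check order matters operationally: the cheap structural checks (key allowlist, htm/htu, skew) run before any state is touched, so a malformed or replayed proof never consumes a nonce or jti slot, and the nonce is popped rather than looked up, which is what makes it single-use without a separate "seen" set. The client_credentials row is the same checker with `nonce_ttl_s=300` and the Ed25519 entry of `ALLOWED_KEYS`.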
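The tenant-scope and audience columns of the matrix, together with the auth_code and client_credentials negative paths, as an added Python claim check; this is not StellaOps code. The per-flow flag table is a constructed encoding of the matrix columns, `aud` and `azp` are the standard JWT/OIDC claim names, and the `tenant` and `env` claim names are assumptions of the example. Every row binds a single service, so a multi-valued `aud` is rejected on all flows, not only client_credentials:

```python
"""Audience / tenant rules from the enforcement matrix, applied to a presented
token's claims (constructed example, not project code)."""
from typing import List

# Constructed encoding of the per-flow columns: does the flow require `env`,
# and must `azp` equal the calling client (auth_code only).
FLOW_RULES = {
    "device_code":        {"env_required": False, "azp_must_match": False},
    "auth_code":          {"env_required": True,  "azp_must_match": True},
    "client_credentials": {"env_required": False, "azp_must_match": False},
}

def audience_list(aud):
    """JWT `aud` may be a string or an array; normalise to a list of strings."""
    if aud is None:
        return []
    return [str(a) for a in aud] if isinstance(aud, list) else [str(aud)]

def check_token_claims(flow: str, claims: dict, service: str, client_id: str) -> List[str]:
    """Return every matrix violation for the token (an empty list means accept).
    Claim names `tenant` and `env` are assumptions of this example."""
    rules = FLOW_RULES.get(flow)
    if rules is None:
        return ["unknown flow " + repr(flow)]
    problems = []
    if not claims.get("tenant"):
        problems.append("tenant claim missing")
    if rules["env_required"] and not claims.get("env"):
        problems.append("env claim required for this flow")
    auds = audience_list(claims.get("aud"))
    if not auds:
        problems.append("aud missing")
    elif len(auds) > 1:
        problems.append("multi-audience list forbidden")   # every row binds exactly one service
    elif "*" in auds[0]:
        problems.append("wildcard audience rejected")
    elif auds[0] != service:
        problems.append("aud does not match service")
    if rules["azp_must_match"] and claims.get("azp") != client_id:
        problems.append("azp does not match client")
    return problems
```

Returning the full list of violations rather than the first one is deliberate: a token that fails several rules at once usually indicates a misconfigured client or issuer, and the operator wants all of them in the rejection log. PKCE enforcement for auth_code is not a token-claim check and belongs at the authorization request, so it is not modelled here.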